Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-09-2021 07:12

Static task: static1

Behavioral task: behavioral1
- Sample: 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
- Resource: win7-en-20210920

Behavioral task: behavioral2
- Sample: 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
- Resource: win10v20210408
General
- Target: 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
- Size: 460KB
- MD5: 3b6f38ea6928bca0be7ce6cf39ec8959
- SHA1: 5ea0766825327580776bc88add0e9267d97965e5
- SHA256: 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79
- SHA512: d8355e551f8cfab86523036a69407a86723add802a361eeaf54c65301ed5c4b88713aada239e6e41ac9b326e74f8652488498126d6883b58c5425f0f50543ec0
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\gjkE = "\"C:\\Users\\Admin\\AppData\\Roaming\\gjkE.exe\""
- Suspicious use of SetThreadContext (1 IoC)
  PID 3128 (1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe) set thread context of PID 2860 (1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid   process                                                                    count
  3272  powershell.exe                                                             2
  3156  powershell.exe                                                             3
  1292  powershell.exe                                                             3
  2508  powershell.exe                                                             3
  3680  powershell.exe                                                             3
  3996  powershell.exe                                                             3
  360   powershell.exe                                                             3
  1844  powershell.exe                                                             3
  1436  powershell.exe                                                             3
  2104  powershell.exe                                                             3
  3128  1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe      2
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2860 (1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe)
- Suspicious use of AdjustPrivilegeToken (30 IoCs)
  Token: SeDebugPrivilege, PIDs 3272, 3156, 1292, 2508, 3680, 3996, 360, 1844, 1436, 2104 (powershell.exe); PIDs 3128 and 2860 (1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe)
  Token: 33, PID 2860 (1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe), 9 occurrences
  Token: SeIncBasePriorityPrivilege, PID 2860 (1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe), 9 occurrences
- Suspicious use of WriteProcessMemory (38 IoCs)
  Source process: PID 3128 (1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe)
  target pid  target process                                                             count
  3272        powershell.exe                                                             3
  3156        powershell.exe                                                             3
  1292        powershell.exe                                                             3
  2508        powershell.exe                                                             3
  3680        powershell.exe                                                             3
  3996        powershell.exe                                                             3
  360         powershell.exe                                                             3
  1844        powershell.exe                                                             3
  1436        powershell.exe                                                             3
  2104        powershell.exe                                                             3
  2860        1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe      8
Processes
- C:\Users\Admin\AppData\Local\Temp\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, 10 instances with the same command line)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe.log
  MD5: 4a30a8132195c1aa1a62b78676b178d9
  SHA1: 506e6d99a2ba08c9d3553af30daaaa0fc46ae4be
  SHA256: 71636c227625058652c089035480b7bb3e5795f3998bc9823c401029fc844a20
  SHA512: 3272b5129525c2b8f7efb99f5a2115cf2572480ff6938ca80e63f02c52588216f861307b9ef962ba015787cae0d5a95e74ebb5fe4b35b34f1c4f3a7deac8ce09